source: mauRepo/dj_security/trunk/dj_security/views/dj_security_login.py @ 8893

'''
BSD Licence
Copyright (c) 2012, Science & Technology Facilities Council (STFC)
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, 
are permitted provided that the following conditions are met:

    * Redistributions of source code must retain the above copyright notice, 
        this list of conditions and the following disclaimer.
    * Redistributions in binary form must reproduce the above copyright notice,
        this list of conditions and the following disclaimer in the documentation
        and/or other materials provided with the distribution.
    * Neither the name of the Science & Technology Facilities Council (STFC) 
        nor the names of its contributors may be used to endorse or promote 
        products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, 
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Created on 29 Oct 2012

@author: mnagni
'''
from django.contrib.auth import authenticate, SESSION_KEY
from django.core.context_processors import csrf
from django.conf import settings
from django_authopenid.views import not_authenticated, ask_openid,\
    signin_failure, _build_context
from django_authopenid.forms import OpenidSigninForm
from django.db.models import Q
from django.contrib.auth.backends import ModelBackend
from django.shortcuts import render_to_response as render
from django.contrib import messages

from userdb_model.models import User

import md5
import logging
import base64
from django_authopenid.utils import get_url_host
from django.core.urlresolvers import reverse
import urllib
from django.http import HttpResponseRedirect
from django.contrib.auth.forms import AuthenticationForm
from django import forms
from django.contrib.auth.signals import user_logged_in
from django.db.utils import DatabaseError
from dj_security.exception import DSJOpenIDNotFoundError, PasswordNotMaches,\
    UserNotFound
from dj_security.middleware import _encode_authenticated_response
from django.core.exceptions import ObjectDoesNotExist
from dj_security import _redirect_field_name

# Get an instance of a logger
LOGGER = logging.getLogger(__name__)

OPENID = 'openid.identity'

def error_handle(request, context):
    form = CEDAAuthenticationForm()
    context['form'] = form
    context.update(csrf(request))
    return render('login.html', context)

class CedaUserAuthenticationBackend(ModelBackend):
    """
    Extends Django's ``ModelBackend`` to allow login via username, 
    or verification token.

    Args are either ``username`` and ``password``
    and ``token``. In either case, ``is_active`` can also be given.

    For login, is_active is not given, so that the login form can
    raise a specific error for inactive users.
    For password reset, True is given for is_active.
    For signup verficiation, False is given for is_active.
    """

    def __init__(self, *args, **kwargs):
        super(CedaUserAuthenticationBackend, self).__init__(*args, **kwargs)

    def authenticate(self, **kwargs):
        if kwargs:
            username = kwargs.pop("username", None)
            if username:
                username = Q(accountid=username)
                password = kwargs.pop("password", None)
                try:
                    user = User.objects.get(username, **kwargs)
                except User.DoesNotExist:
                    raise UserNotFound()
                    pass
                else:
                    if user.md5passwd == md5.new(password).hexdigest():                        
                        return user
                    else:
                        LOGGER.error("Wrong password for username: %s" % username)
                        raise PasswordNotMaches()
   
def get_user_byopenid(user_id):
    """
        Returns a tbusers row specified by `user_id`
    - String **user_id**
        a user
    """
    try:
        return User.objects.get(openid=user_id)
    except (DatabaseError, ObjectDoesNotExist) as ex:
        logging.error("Openid: %s - Not Found" % user_id)
        raise DSJOpenIDNotFoundError(ex)   
                    
def logged_in(request):
    '''
        Retrieves the user after the openid provider authenticated him/her
    '''
    if SESSION_KEY not in request.session:
        if OPENID in request.session:
            login(request, get_user_byopenid(request.session[OPENID]))
            
    return _encode_authenticated_response_(request, context = {})    
    
def _encode_authenticated_response_(request, context):
    context['redirect_url'] = \
        base64.b64decode(request.session.get(_redirect_field_name(), ''))
    LOGGER.info("Redirecting to %s" % (context['redirect_url']))   
    return render('logged_in.html', context)  

class CEDAAuthenticationForm(AuthenticationForm):

    def __init__(self, request=None, *args, **kwargs):
        super(CEDAAuthenticationForm, self).__init__(request, *args, **kwargs)

    def clean(self):
        username = self.cleaned_data.get('username')
        password = self.cleaned_data.get('password')

        if username and password:
            self.user_cache = authenticate(username=username,
                                           password=password)
            if self.user_cache is None:
                raise forms.ValidationError(
                    self.error_messages['invalid_login'])
            #elif not self.user_cache.is_active:
            #    raise forms.ValidationError(self.error_messages['inactive'])
        self.check_for_test_cookie()
        return self.cleaned_data

    
@not_authenticated
def signin(request, template_name='authopenid/signin.html', 
        redirect_field_name=_redirect_field_name(), 
        openid_form=OpenidSigninForm,
        auth_form=CedaUserAuthenticationBackend, 
        on_failure=None, extra_context={'is_login_page': True}):
    """Signin page. It manage the legacy authentification (user/password)  
    and authentification with openid.

    :attr request: request object
    :attr template_name: string, name of template to use
    :attr redirect_field_name: string, field name used for redirect. by 
    default 'next'
    :attr openid_form: form use for openid signin, by default 
    `OpenidSigninForm`
    :attr auth_form: form object used for legacy authentification. 
    By default AuthentificationForm form auser auth contrib.
    :attr extra_context: A dictionary of variables to add to the 
    template context. Any callable object in this dictionary will 
    be called to produce the end result which appears in the context.
    """
    if on_failure is None:
        on_failure = signin_failure
        
    if not request.session.has_key(redirect_field_name):
    
        if request.GET.has_key(redirect_field_name):
            redirect = urllib.unquote_plus(request.GET.get(redirect_field_name))
            LOGGER.debug("No redirect in session. Setting to: %s" % redirect)
            request.session[redirect_field_name] = redirect
        else:
            LOGGER.debug("No redirect in session. Setting to default: %s" % settings.LOGIN_REDIRECT_URL)
            request.session[redirect_field_name] = settings.LOGIN_REDIRECT_URL
                      
    form1 = openid_form()
    form2 = auth_form()
    if request.POST:
        if not request.session.has_key(redirect_field_name):
            request.session[redirect_field_name] = settings.LOGIN_REDIRECT_URL     
        if 'openid_url' in request.POST.keys():
            form1 = openid_form(data=request.POST)
            if form1.is_valid():
                redirect_url = "%s%s?%s" % (
                        get_url_host(request),
                        reverse('user_complete_signin'), 
                        urllib.urlencode({ redirect_field_name: 
                                          request.session[redirect_field_name]})
                )
                return ask_openid(request, 
                        form1.cleaned_data['openid_url'], 
                        redirect_url, 
                        on_failure=on_failure)
        else:
            # perform normal django authentification
            form2 = auth_form(data=request.POST)
            if form2.is_valid():
                #login(request, form2.get_user())
                if request.session.test_cookie_worked():
                    request.session.delete_test_cookie()                                                    
                response = HttpResponseRedirect(request.session.get(redirect_field_name, ''))
                return _encode_authenticated_response(request, 
                                               response, 
                                               request.session.get(redirect_field_name, ''), 
                                               form2.get_user())
            else:
                return signin_failure(request, "Wrong username and/or password")
                
    return render(template_name, {
        'form1': form1,
        'form2': form2,
        redirect_field_name: request.session.get(redirect_field_name, ''),
        'msg':  request.GET.get('msg','')
    }, context_instance=_build_context(request, extra_context=extra_context))  

def signin_failure(request, message, template_name='signin.html',
        redirect_field_name=_redirect_field_name(), openid_form=OpenidSigninForm, 
        auth_form=AuthenticationForm, extra_context=None, **kwargs):
    messages.add_message(request, messages.WARNING, message)
    LOGGER.warn(message)
    return render(template_name, {
        'msg': message,
        'form1': openid_form(),
        'form2': auth_form(),
        redirect_field_name: request.REQUEST.get(redirect_field_name, '')
    }, context_instance=_build_context(request, extra_context))     

def signin_success(request, identity_url, openid_response,
        redirect_field_name=_redirect_field_name(), **kwargs):
    
    #redirect_parameter = getattr(settings, 'REDIRECT_URL', 'r')    
    redirect_url = request.session.get(redirect_field_name, '')
    LOGGER.debug("Redirecting to %s" % (redirect_url)) 
    '''
        Retrieves the user after the openid provider authenticated him/her
    '''
    response = HttpResponseRedirect(redirect_url)
    
    if OPENID in request.REQUEST:
        try:
            return _encode_authenticated_response(request, 
                                response, 
                                redirect_url, 
                                get_user_byopenid(request.REQUEST[OPENID]))
        except DSJOpenIDNotFoundError as e:
            msg = "No user associated with OPENID %s" % (request.REQUEST[OPENID])
            messages.add_message(request, messages.WARNING, msg)
            LOGGER.warn(msg)
            return response                        
    elif SESSION_KEY in request.session:
        response = HttpResponseRedirect(redirect_url)
        return _encode_authenticated_response(request, response, redirect_url)            
    
    
   
def login(request, user):
    """
    Persist a user id and a backend in the request. This way a user doesn't
    have to reauthenticate on every request. Note that data set during
    the anonymous session is retained when the user logs in.
    Overrides the django.contrib.auth.login method
    """
    if user is None:
        user = request.user
    # TODO: It would be nice to support different login methods, like signed cookies.
    if SESSION_KEY in request.session:
        if request.session[SESSION_KEY] != user.accountid:
            # To avoid reusing another user's session, create a new, empty
            # session if the existing session corresponds to a different
            # authenticated user.
            r_copy = None
            if request.session.has_key(_redirect_field_name()):
                r_copy = request.session[_redirect_field_name()]
            request.session.flush()
            request.user = user
            request.session[_redirect_field_name()] = r_copy
    else:
        request.session.cycle_key()
    request.session[SESSION_KEY] = user.userkey
    #request.session[BACKEND_SESSION_KEY] = user.backend
    if hasattr(request, 'user'):
        request.user = user
    user_logged_in.send(sender=user.__class__, request=request, user=user)